From 96fd83b1a4a62e6021fd0048f8f8c8bba9563e38 Mon Sep 17 00:00:00 2001
From: Xavier Mouligneau <189600+XavierM@users.noreply.github.com>
Date: Mon, 26 Oct 2020 11:20:16 -0400
Subject: [PATCH] [SECURITY SOLUTION] exclude cloud alias index from our query
 (#81551)

* exclude cloud alias index

* only exclude cloud alias when logs-* is there
---
 .../common/store/sourcerer/selectors.test.ts  | 70 +++++++++++++++++++
 .../common/store/sourcerer/selectors.ts       | 11 ++-
 2 files changed, 79 insertions(+), 2 deletions(-)
 create mode 100644 x-pack/plugins/security_solution/public/common/store/sourcerer/selectors.test.ts

diff --git a/x-pack/plugins/security_solution/public/common/store/sourcerer/selectors.test.ts b/x-pack/plugins/security_solution/public/common/store/sourcerer/selectors.test.ts
new file mode 100644
index 0000000000000..e6577f2461a9e
--- /dev/null
+++ b/x-pack/plugins/security_solution/public/common/store/sourcerer/selectors.test.ts
@@ -0,0 +1,70 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License;
+ * you may not use this file except in compliance with the Elastic License.
+ */
+
+import { cloneDeep } from 'lodash/fp';
+import { mockGlobalState } from '../../mock';
+import { SourcererScopeName } from './model';
+import { getSourcererScopeSelector } from './selectors';
+
+describe('Sourcerer selectors', () => {
+  describe('getSourcererScopeSelector', () => {
+    it('Should exclude elastic cloud alias when selected patterns include "logs-*" as an alias', () => {
+      const mapStateToProps = getSourcererScopeSelector();
+      expect(
+        mapStateToProps(mockGlobalState, SourcererScopeName.default).selectedPatterns
+      ).toEqual([
+        'apm-*-transaction*',
+        'auditbeat-*',
+        'endgame-*',
+        'filebeat-*',
+        'logs-*',
+        'packetbeat-*',
+        'winlogbeat-*',
+        '-*elastic-cloud-logs-*',
+      ]);
+    });
+
+    it('Should NOT exclude elastic cloud alias when selected patterns does NOT include "logs-*" as an alias', () => {
+      const mapStateToProps = getSourcererScopeSelector();
+      const myMockGlobalState = cloneDeep(mockGlobalState);
+      myMockGlobalState.sourcerer.sourcererScopes.default.selectedPatterns = myMockGlobalState.sourcerer.sourcererScopes.default.selectedPatterns.filter(
+        (index) => !index.includes('logs-*')
+      );
+      expect(
+        mapStateToProps(myMockGlobalState, SourcererScopeName.default).selectedPatterns
+      ).toEqual([
+        'apm-*-transaction*',
+        'auditbeat-*',
+        'endgame-*',
+        'filebeat-*',
+        'packetbeat-*',
+        'winlogbeat-*',
+      ]);
+    });
+
+    it('Should NOT exclude elastic cloud alias when selected patterns include "logs-endpoint.event-*" as an alias', () => {
+      const mapStateToProps = getSourcererScopeSelector();
+      const myMockGlobalState = cloneDeep(mockGlobalState);
+      myMockGlobalState.sourcerer.sourcererScopes.default.selectedPatterns = [
+        ...myMockGlobalState.sourcerer.sourcererScopes.default.selectedPatterns.filter(
+          (index) => !index.includes('logs-*')
+        ),
+        'logs-endpoint.event-*',
+      ];
+      expect(
+        mapStateToProps(myMockGlobalState, SourcererScopeName.default).selectedPatterns
+      ).toEqual([
+        'apm-*-transaction*',
+        'auditbeat-*',
+        'endgame-*',
+        'filebeat-*',
+        'packetbeat-*',
+        'winlogbeat-*',
+        'logs-endpoint.event-*',
+      ]);
+    });
+  });
+});
diff --git a/x-pack/plugins/security_solution/public/common/store/sourcerer/selectors.ts b/x-pack/plugins/security_solution/public/common/store/sourcerer/selectors.ts
index ca9ea26ba5bac..f0859a0fb9b66 100644
--- a/x-pack/plugins/security_solution/public/common/store/sourcerer/selectors.ts
+++ b/x-pack/plugins/security_solution/public/common/store/sourcerer/selectors.ts
@@ -81,11 +81,18 @@ export const defaultIndexNamesSelector = () => {
   return mapStateToProps;
 };
 
+const EXLCUDE_ELASTIC_CLOUD_INDEX = '-*elastic-cloud-logs-*';
 export const getSourcererScopeSelector = () => {
   const getScopesSelector = scopesSelector();
 
-  const mapStateToProps = (state: State, scopeId: SourcererScopeName): ManageScope =>
-    getScopesSelector(state)[scopeId];
+  const mapStateToProps = (state: State, scopeId: SourcererScopeName): ManageScope => ({
+    ...getScopesSelector(state)[scopeId],
+    selectedPatterns: getScopesSelector(state)[scopeId].selectedPatterns.some(
+      (index) => index === 'logs-*'
+    )
+      ? [...getScopesSelector(state)[scopeId].selectedPatterns, EXLCUDE_ELASTIC_CLOUD_INDEX]
+      : getScopesSelector(state)[scopeId].selectedPatterns,
+  });
 
   return mapStateToProps;
 };